System and method for communication service verification, and verification server thereof
US-2019199522-A1 · Jun 27, 2019 · US
US11283789B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11283789-B2 |
| Application number | US-202016789874-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 13, 2020 |
| Priority date | Feb 13, 2020 |
| Publication date | Mar 22, 2022 |
| Grant date | Mar 22, 2022 |
Official abstract text for this publication.
An access management system (AMS) is disclosed that includes SSO capabilities for providing users secure access to protected resources within an enterprise using encryption keys generated by a client application. The AMS receives a request from a client application for a user to access a protected resource. In certain examples, the request comprises a client application identifier, a session identifier and a client public encryption key. The AMS determines if the session identifier points to a valid session and upon determining that the session identifier corresponds to a valid session, transmits information associated with the valid session to the client application. In certain examples, the information associated with the valid session is encrypted using the client public encryption key. Based on information associated with the valid session received from the client application, the AMS determines whether to grant or deny a user access to a protected resource within the enterprise.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving, by a computer system, a request from a client application, the request requesting access by a user to a protected resource, the request comprising a client application identifier identifying the client application, a client public encryption key and a session identifier; determining, by the computer system, based on information stored in a data store, that the client application identifier is associated with the session identifier identifying a valid session for the user; based on the determining, obtaining, by the computer system, an encrypted session identifier stored in the data store and associated with the client application identifier, wherein the encrypted session identifier is generated by encrypting the session identifier using the client public encryption key; transmitting, by the computer system, the encrypted session identifier to the client application; responsive to the transmitting, receiving, by the computer system from the client application, a response from the client application, the response including information related to the valid session, the information related to the valid session including a second encrypted session identifier generated by the client application; determining, by the computer system, a second session identifier from the response received from the client application, wherein determining the second session identifier comprises decrypting, by the computer system, the second encrypted session identifier using a private encryption key generated by the computer system to generate a decrypted second session identifier; determining, by the computer system, that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store; upon determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store, enabling, by the computer system, the user to access the protected resource; and upon determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store, denying, by the computer system, the user access to the protected resource.

2. The method of claim 1, wherein the second encrypted session identifier is generated by the client application by: decrypting the encrypted session identifier received from the computer system using a client private encryption key generated by client application; and encrypting the decrypted session identifier using a public encryption key generated by the computer system to generate the second encrypted session identifier.

3. The method of claim 1, further comprising: determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store; and based upon the determining, denying, by the computer system, the user access to the protected resource.

4. The method of claim 1, further comprising: performing, by the computer system, an authentication of the user to access the protected resource, the authentication performed in response to receiving an initial request from the client application prior to the request and based on determining, by the computer system that the session identifier for the client application identifier specified in the initial request is not valid; based upon successful authentication, establishing, by the computer system, a session for the user; and enabling, by the computer system, the user to access the protected resource.

5. The method of claim 4, wherein performing, by the computer system, the authentication of the user comprises: transmitting, by the computer system, a credential information request to the client application; receiving, by the computer system, credential information associated with the user from the client application; validating, by the computer system, the credential information against stored credential information associated with the user; and based on the validating, performing, by the computer system, the authentication of the user.

6. The method of claim 4, wherein establishing, by the computer system, the session for the user comprises: associating, by the computer system, a session identifier with the session; encrypting, by the computer system, the session identifier with the client public encryption key to generate the encrypted session identifier; and associating, by the computer system, the client application identifier to the session identifier, the encrypted session identifier and session data associated with the session.

7. The method of claim 6, further comprising, storing, by the computer system, the client application identifier, the session identifier, the encrypted session identifier and the session data associated with the session in the data store.

8. A system comprising: a memory storing session data associated with a session; and one or more processors configured to perform processing, the processing comprising: receiving a request from a client application, the request requesting access by a user to a protected resource, the request comprising a client application identifier identifying the client application, a client public encryption key and a session identifier; determining, based on information stored in a data store, that the client application identifier is associated with the session identifier identifying a valid session for the user; based on the determining, obtaining an encrypted session identifier stored in the data store and associated with the client application identifier, wherein the encrypted session identifier is generated by encrypting the session identifier using the client public encryption key; transmitting the encrypted session identifier to the client application; responsive to the transmitting, receiving from the client application, a response from the client application, the response including information related to the valid session, the information related to the valid session including a second encrypted session identifier generated by the client application; determining a second session identifier from the response received from the client application, wherein determining the second session identifier comprises decrypting, by the computer system, the second encrypted session identifier using a private encryption key generated by the computer system to generate a decrypted second session identifier; determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store; upon determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store, enabling the user to access the protected resource; and upon determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store, denying the user access to the protected resource.

9. The system of claim 8, wherein the second encrypted session identifier is generated by the client application by: decrypting the encrypted session identifier received from the computer system using a client private encryption key generated by client application; and encrypting the decrypted session identifier using a public encryption key generated by the computer system to generate the second encrypted session identifier.

10. The system of claim 8, wherein the processing furthe
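The claim 1 and claim 2 exchange, written here as an added Go example that is not code from the patent: RSA-OAEP stands in for the unspecified public-key scheme, and the AMS and record types, the in-memory data store, and the NewAMS, NewKey, EstablishSession, Challenge, ClientRespond and Verify names are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// AMS is the server side: its own RSA key pair plus the data store keyed by client application identifier (claim 7).
type AMS struct {
	Key   *rsa.PrivateKey
	store map[string]record
}
type record struct{ sessionID, encSessionID []byte } // session identifier and its encryption under the client public key (claim 6)
func NewAMS(key *rsa.PrivateKey) *AMS { return &AMS{Key: key, store: map[string]record{}} }
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // key pair for either party

// EstablishSession runs after successful authentication (claims 4, 6, 7): the chosen session identifier is encrypted with the client public key and both values are stored.
func (a *AMS) EstablishSession(clientID string, sessionID []byte, clientPub *rsa.PublicKey) error {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, sessionID, nil)
	if err == nil {
		a.store[clientID] = record{sessionID: sessionID, encSessionID: enc}
	}
	return err
}

// Challenge is the first half of claim 1: the stored encrypted session identifier is returned only if the client identifier is bound to the presented session identifier.
func (a *AMS) Challenge(clientID string, sessionID []byte) ([]byte, bool) {
	if r, ok := a.store[clientID]; ok && subtle.ConstantTimeCompare(r.sessionID, sessionID) == 1 {
		return r.encSessionID, true
	}
	return nil, false
}

// ClientRespond is claim 2: decrypt with the client private key, then re-encrypt the recovered identifier under the AMS public key.
func ClientRespond(clientPriv *rsa.PrivateKey, amsPub *rsa.PublicKey, enc []byte) ([]byte, error) {
	sid, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, clientPriv, enc, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, amsPub, sid, nil)
}

// Verify is the second half of claim 1: decrypt with the AMS private key and compare in constant time; a mismatch or a decryption failure denies access.
func (a *AMS) Verify(clientID string, second []byte) bool {
	r, ok := a.store[clientID]
	sid, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.Key, second, nil)
	return ok && err == nil && subtle.ConstantTimeCompare(sid, r.sessionID) == 1
}
```

Because OAEP is randomized, the second encrypted session identifier never equals the first, so the server has to compare the decrypted identifiers rather than the ciphertexts; the constant-time comparison is a hardening choice of this example, not something the claims require.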
providing single-sign-on or federations · CPC title
wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06) · CPC title
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title